32.0.0 Black Diamond
IR
433223
CloudBasic
13:28:16
11/06/2021
Order 275594 04-D4E5A.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
3f4cc7f69f0d3b70a20dfd2243bc16db
b0e2841f5c7d754e4af796088b659c204edf5fd8
6e556200dba57fdce36308bbd34c19398ecf627828627b380244aeede2f90176
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order 275594 04-D4E5A.exe.log
true
B666A4404B132B2BF6C04FBF848EB948
D2EFB3D43F8B8806544D3A47F7DAEE8534981739
7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
C:\Users\user\AppData\Local\Temp\tmp285B.tmp
true
56D17E4A40FC6692A30DDC6AB12DEA7A
FFDD7B9D79A37F71C7AD8DDFEA48CC2C48981951
6BDE14E7796411E51AEF9BBAABAA4BFDCD1682BB8024B85F82174BC036967A9E
C:\Users\user\AppData\Roaming\EDclkRlYpO.exe
true
3F4CC7F69F0D3B70A20DFD2243BC16DB
B0E2841F5C7D754E4AF796088B659C204EDF5FD8
6E556200DBA57FDCE36308BBD34C19398ECF627828627B380244AEEDE2F90176
184.168.131.241
filmarabia.com
true
184.168.131.241
www.filmarabia.com
true
unknown
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook